CVE-2022-22950: SpEL expressions in older versions of Spring Framework (5.3.0 - 5.3.16) can be used to cause a denial of service.

This denial of service condition can occur if the user passes a SpEL expression that calls the doFilter() method of a JSF component directly. The doFilter() method is not supported in version 5.3.0 or 5.3.1 of the Spring Framework due to the change in the doFilter() signature. Before version 5.3.0, doFilter() was supported and was changed to match the signature required by the Servlet 3.0 specification. In versions of the Spring Framework prior to 5.3.0 and 5.3.1, doFilter() returns false, which does not indicate an error and allows the SpEL expression to proceed to the next method call. If a user passes a SpEL expression that calls the doFilter() method of a JSF component, the doFilter() method is not supported, and an IllegalStateException is thrown. This can lead to a denial of service condition for the application if the user passes a SpEL expression that calls the doFilter() method of a JSF component directly.

CVE-2023-23226

This denial of service condition can occur if the user passes an expression that accesses the doFilter() method of a JSF component directly. The doFilter() method is not supported in versions 5.3.0 or 5.3.1 of the Spring Framework due to the change in the doFilter() signature. Before version 5.3.0, doFilter() was supported and was changed to match the signature required by the Servlet 3.0 specification. In versions of the Spring Framework prior to 5.3.0 and 5.3.1, doFilter() returns false, which does not indicate an error and allows the SpEL expression to proceed to the next method call. This happens even if the expression calls a method that is not supported in versions 5.3.0 or 5.3.1 because it is not present in any release of the Spring Framework before version 5.3 (not all applicable methods are present in all releases). If a user passes an expression that accesses a method that is not supported by versions 5.* of the Spring Framework, an IllegalStateException is thrown, and no other code inside this container provides fail-safe behavior because no return value check is performed within this container at run time.

Products Affected

All versions of the Spring Framework prior to 5.3.0 and 5.3.1 are affected by this issue.

Symptoms of the DoS Condition

If a user passes a SpEL expression that calls the doFilter() method of a JSF component directly, the application experiences an IllegalStateException and cannot continue. Possible symptoms include:
- Outdated or incorrect version of the Spring Framework
- Permission denied exception during spring-servlet startup
- Unable to create new instances of long running processes
- Incorrect stack trace for the application
